Tags: php, hash, passwords, password-hash

How to prevent reuse of password hash by another user


I need to prevent reuse of a password hash by another user. For example, if a user can create his own hash (knowing the password, of course) and he gains access to the database and replaces someone else's hash with his, he will be able to log in as that user. I was wondering if adding the id of the user to the hash would be good practice; if not, what else can I do? Thank you.


Solution

  • If someone can substitute the credentials in your database, and if this is the only thing that determines access to your system, then, yes, the user can cause your system to accept whatever password he chooses.

    This is one important reason why many production systems ... used within a company ... and many of the back-side "plumbing" layers of public-facing systems ... do not use passwords of any sort to handle authentication or authorization. Instead, they use "trusted third-party authority" techniques such as LDAP (OpenDirectory) or Kerberos. No one is "whispering magic-words to one another" at any point.

    In this scenario, both "authentication" (verifying who the requesting user actually is), and "authorization" (establishing what he can do) are not handled by logic within the systems themselves: these tasks are delegated to a centrally managed corporate authority. There is the concept of a "single sign-on." There are no "passwords" to steal. Even if the system requires the user to respond to a personal-challenge, e.g. to enter a password as part of the procedure, the central authority (software layer) manages everything: providing the challenge, interpreting the response, knowing that a correct response was timely given, and so forth.

    These are robust technologies with peer-reviewed, trustworthy implementations that are also cross-platform and industry standard. They're very comprehensive. When you "swipe your badge" to get into your building every morning, they're probably what actually unlocks the door. They can be accessed by PHP, and/or by whatever web-server service is running your PHP application.
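
The question's idea of tying a hash to one user id, as an added example that is not part of the original question or answer: the id and password are combined with an HMAC before hashing, so a hash copied into another row no longer verifies. The function names, the `APP_PEPPER` variable and the server-side key kept outside the database are assumptions of this sketch.

```php
<?php
declare(strict_types=1);

// Added example. APP_PEPPER is a hypothetical server-side key stored outside
// the database (environment, secrets manager). The fallback is a constructed
// demo value so the script runs offline.
function pepperKey(): string
{
    $key = getenv('APP_PEPPER');
    return ($key !== false && $key !== '') ? $key : 'constructed-demo-key';
}

// Bind the password to one account: HMAC-SHA256 over "id NUL password".
// Hex output keeps the bcrypt input free of NUL bytes and under 72 bytes.
function boundInput(int $userId, string $password): string
{
    return hash_hmac('sha256', $userId . "\0" . $password, pepperKey());
}

function hashForUser(int $userId, string $password): string
{
    return password_hash(boundInput($userId, $password), PASSWORD_DEFAULT);
}

function verifyForUser(int $userId, string $password, string $storedHash): bool
{
    return password_verify(boundInput($userId, $password), $storedHash);
}

// Constructed "users" table: id => stored hash.
$users = [
    1 => hashForUser(1, 'victim-password'),
    2 => hashForUser(2, 'attacker-password'),
];

// Normal login for user 2 with the hash stored in user 2's own row.
var_dump(verifyForUser(2, 'attacker-password', $users[2]));

// Tampering scenario from the question: user 2's hash overwrites user 1's.
$users[1] = $users[2];

// The transplanted hash was computed over id 2, so checks against id 1
// recompute a different HMAC input and password_verify() rejects it.
var_dump(verifyForUser(1, 'attacker-password', $users[1]));
var_dump(verifyForUser(1, 'victim-password', $users[1]));
```

This only addresses a hash moved between rows: the key outside the database is what stops a valid hash for another id being computed by someone who knows the scheme. Anyone who can write to the table can still change other columns, which is the point the answer opens with.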